forcewall.sh

a guest
May 30th, 2021
62
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
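#!/bin/bash
#
# forcewall.sh - force every outbound connection through Tor and drop the rest.
#
# Usage:
#   forcewall.sh       install tor, build the iptables/ip6tables rule set, write
#                      /etc/tor/torrc, then lock /etc/hosts.allow,
#                      /etc/hosts.deny and /etc/resolv.conf with chattr +i
#   forcewall.sh -F    flush both IPv4 and IPv6 tables, reset policies to
#                      ACCEPT and point /etc/resolv.conf at 1.1.1.1 again
#
# Must run as root. Assumes a Debian-style tor package: service user
# "debian-tor", config at /etc/tor/torrc, systemd unit "tor".
#
# Exit status: 1 when not root or when a usage error is hit; the iptables
# calls themselves are not checked individually, so review the rule dump
# printed at the end.

set -u

# Destinations that are never sent to Tor: loopback, RFC 1918, link-local,
# CGNAT, multicast, reserved, documentation and benchmarking ranges.
# Traffic to them is DROPped in the filter table and RETURNed (not DNATed)
# in the nat table.
readonly -a SPECIAL_ADDRS=(
  255.255.255.255/32
  240.0.0.0/4
  233.252.0.0/24
  224.0.0.0/4
  203.0.113.0/24
  198.51.100.0/24
  198.18.0.0/15
  192.168.0.0/16
  192.88.99.0/24
  192.0.2.0/24
  192.0.0.0/24
  172.16.0.0/12
  169.254.0.0/16
  127.0.0.0/8
  100.64.0.0/10
  10.0.0.0/8
  0.0.0.0/8
)

# Tor listener settings. The firewall rules and the generated torrc both use
# these, so they stay consistent by construction.
readonly TOR_DNS_PORT=9053
readonly TOR_TRANS_PORT=9040
readonly TOR_VIRTUAL_NET=10.192.0.0/10
readonly TOR_UID=debian-tor

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Replace the content of a file and mark it immutable.
# The leading `chattr -i` is best-effort (it fails on filesystems without
# attribute support); the write is still attempted. On write failure the
# file is left as-is and 1 is returned so the caller can continue.
# Arguments: $1 - absolute path, $2 - full new content (include trailing
#            newline if one is wanted; '' empties the file)
# Returns:   0 on success, 1 if the file could not be written
#######################################
lock_file() {
  local path=$1 content=$2
  chattr -f -i "$path"
  if ! printf '%s' "$content" > "$path"; then
    printf 'forcewall: cannot write %s\n' "$path" >&2
    return 1
  fi
  chattr -f +i "$path"
}

#######################################
# Undo the firewall: flush IPv4 and IPv6 tables, set every policy to ACCEPT,
# restore a public resolver.
# NOTE: /etc/hosts.deny (ALL:ALL) and /etc/hosts.allow are left locked as
# the install path wrote them; this only reverts the packet filter and DNS.
#######################################
flush_firewall() {
  iptables -F; iptables -t nat -F
  iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT
  # The install path blackholes IPv6 as well, so it has to be reopened here
  # too, otherwise the host keeps dropping all v6 traffic after -F.
  ip6tables -F; ip6tables -t nat -F
  ip6tables -P INPUT ACCEPT; ip6tables -P FORWARD ACCEPT; ip6tables -P OUTPUT ACCEPT
  iptables -nvL; iptables -t nat -nvL
  lock_file /etc/resolv.conf $'nameserver 1.1.1.1\n'
}

#######################################
# IPv4 filter table: fail-closed policies first, then the allow list.
# Globals: SPECIAL_ADDRS, TOR_DNS_PORT, TOR_TRANS_PORT, TOR_UID (read)
#######################################
apply_ipv4_filter() {
  local addr

  iptables -F; iptables -t nat -F
  # Policies go to DROP before any rule exists, so nothing leaks while the
  # chains are being rebuilt.
  iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT DROP

  # INPUT: only replies to our own connections and loopback.
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -j DROP

  # This host never forwards.
  iptables -A FORWARD -j DROP

  # OUTPUT: replies, the two local Tor listeners, Tor's own egress, loopback.
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p udp -d 127.0.0.1 --dport "$TOR_DNS_PORT" -j ACCEPT
  iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport "$TOR_TRANS_PORT" --syn -j ACCEPT
  # Only the tor daemon may open new TCP connections to the outside. If the
  # user does not exist this rule fails to load and the chain falls through
  # to the final DROP, i.e. Tor has no egress rather than the filter opening.
  iptables -A OUTPUT -p tcp -m owner --uid-owner "$TOR_UID" -m state --state NEW --syn -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  for addr in "${SPECIAL_ADDRS[@]}"; do
    iptables -A OUTPUT -d "$addr" -j DROP
  done
  # Everything else, including all non-DNS UDP, is dropped.
  iptables -A OUTPUT -j DROP
}

#######################################
# IPv4 nat table: redirect DNS to Tor's DNSPort and new TCP connections to
# Tor's TransPort. Rule order matters and is kept exactly as documented.
# Globals: SPECIAL_ADDRS, TOR_DNS_PORT, TOR_TRANS_PORT, TOR_VIRTUAL_NET,
#          TOR_UID (read)
#######################################
apply_ipv4_nat() {
  local addr
  local dns_target="127.0.0.1:$TOR_DNS_PORT"
  local trans_target="127.0.0.1:$TOR_TRANS_PORT"

  # DNS is redirected before the "-o lo RETURN" rule on purpose: resolv.conf
  # points at 127.0.0.1, and this is what turns those queries into
  # DNSPort traffic (nothing listens on 127.0.0.1:53).
  iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination "$dns_target"
  # Addresses Tor hands out for .onion names (VirtualAddrNetwork) always go
  # to the TransPort, regardless of who opens the connection.
  iptables -t nat -A OUTPUT -p tcp -d "$TOR_VIRTUAL_NET" --syn -j DNAT --to-destination "$trans_target"

  # Tor's own connections and loopback are left untouched.
  iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner "$TOR_UID" --syn -j RETURN
  iptables -t nat -A OUTPUT -o lo -j RETURN
  for addr in "${SPECIAL_ADDRS[@]}"; do
    iptables -t nat -A OUTPUT -d "$addr" -j RETURN
  done

  # Every other new TCP connection is transparently proxied.
  iptables -t nat -A OUTPUT -p tcp --syn -j DNAT --to-destination "$trans_target"
}

#######################################
# IPv6 is dropped entirely rather than proxied.
#######################################
apply_ipv6_blackhole() {
  ip6tables -F; ip6tables -t nat -F
  ip6tables -P INPUT DROP; ip6tables -P FORWARD DROP; ip6tables -P OUTPUT DROP
  ip6tables -A INPUT -j DROP; ip6tables -A FORWARD -j DROP; ip6tables -A OUTPUT -j DROP
}

#######################################
# Overwrite /etc/tor/torrc with the listeners the firewall expects and
# restart tor. Any existing torrc content (including the package default)
# is replaced; the restart only happens if the write succeeded.
# Globals: TOR_DNS_PORT, TOR_TRANS_PORT, TOR_VIRTUAL_NET (read)
# Returns:   non-zero if torrc could not be written
#######################################
write_torrc() {
  cat > /etc/tor/torrc <<EOF || return 1
DNSPort 127.0.0.1:$TOR_DNS_PORT
AutomapHostsOnResolve 1
AutomapHostsSuffixes .onion

TransPort 127.0.0.1:$TOR_TRANS_PORT
VirtualAddrNetwork $TOR_VIRTUAL_NET
EOF
  systemctl restart tor
}

#######################################
# Entry point.
# Arguments: $1 - optional "-F" to flush instead of install
#######################################
main() {
  umask 0022
  # Exit non-zero so callers (and CI) notice; the original silently exited 0.
  [[ "$EUID" -eq 0 ]] || die 'run as root!'

  if [[ "${1:-}" == "-F" ]]; then
    flush_firewall
    exit 0
  fi

  # tor is installed before the firewall goes up; on a re-run the install
  # traffic itself is already being routed through the existing Tor rules.
  apt update
  apt install -y tor

  apply_ipv4_filter
  apply_ipv4_nat
  apply_ipv6_blackhole

  iptables -nvL; iptables -t nat -nvL

  write_torrc

  # TCP wrappers: deny everything; resolver: local Tor DNSPort via the nat rule.
  lock_file /etc/hosts.allow ''
  lock_file /etc/hosts.deny $'ALL:ALL\n'
  lock_file /etc/resolv.conf $'nameserver 127.0.0.1\n'
}

main "$@"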